Limit simultaneous sessions by users, groups or organization units
You can create a rule to limit a user to only one simultaneous session. This rule can be created by user, group or user organizational unit and you can choose which type of session is restricted.
This example will give you a step-by-step guide on how to define a rule for a user group limiting every member to one concurrent workstation session.
Click on 'Protected accounts' in the menu tree. Open the desired group protected account if it already exists by double-clicking on its corresponding line. Otherwise you can create a protected account for the target group (procedure available here).
In the Protected account settings, display the 'General' section (the first section).
In 'Number of concurrent sessions allowed', adjust 'Workstation sessions' to 'Limited to'. Enter '1' as value.
Click on 'OK' to validate.
Every user of this group will be authorized to logon to one workstation session. If a user member of this group tries to open a second session while the previous is open, they will be denied logon. To logon to another workstation they will have to logoff their current session.
Some options are available to allow more flexibility:
Allow to logoff an existing session if the number of allowed sessions has already been reached
When trying to open another workstation session, users will have a prompt window allowing them to force logoff from their previous session. To switch on this option, adjust the corresponding drop-down list from 'Not configured' to 'Enabled'.
Allow only one unlocked interactive session
Users can open more than one session (in this example) but previous session(s) will be automatically locked once a new session is open. This ensures that no session stays open and free to exploit if the session owner is using another workstation. To switch on this option, adjust the corresponding drop-down list from 'Not configured' to 'Enabled'.
To learn more about these options, see the 'Protected account General' help section.